The FritzFrog botnet has returned with a new P2P campaign, showing a 10-fold increase in activity within a month. FritzFrog is a P2P botnet first detected in January 2020; over eight months it infected at least 500 government and business SSH servers. The decentralized P2P botnet, written in the Go programming language, brute-forces SSH on cloud instances, servers, and other internet-exposed devices, including routers.
According to cybersecurity analysts from Akamai Threat Labs, the botnet has emerged with an exponential growth spike since December, after having gone silent following its last attack wave.
“FritzFrog propagates over SSH,” the researchers said. “Once it finds a server’s credentials using a simple (yet aggressive) brute force technique, it establishes an SSH session with the new victim and drops the malware executable on the host. The malware then starts listening and waiting for commands.”
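The propagation described above leaves a characteristic trace on every target: a burst of failed SSH password logins from one source, sometimes followed by an accepted login from that same source once a credential is found. The following detector, added here as an example and not Akamai's published FritzFrog tool, scans standard sshd syslog lines for exactly that pattern. The log lines, hostnames, usernames and IP addresses are constructed for the example; the threshold and window are assumptions a defender would tune to their own environment.

```python
"""Flag SSH password brute force in sshd auth-log lines, and note when an
accepted login follows a flagged burst (the attacker found a valid credential).
Added example; the sample log below is constructed, not a captured FritzFrog log."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic sshd syslog format, e.g.
# "Jan 10 03:12:05 web1 sshd[1200]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_line(line, year=2022):
    """Return (timestamp, 'Failed'|'Accepted', user, source_ip) or None.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window_seconds=60, year=2022):
    """Return {source_ip: report} for every source that produced at least
    `threshold` failed password logins inside any `window_seconds` span.
    The report records the peak failure count, the usernames tried, and the
    first accepted login from that source after it was flagged (or None)."""
    events = sorted(
        (e for e in (parse_line(l, year) for l in lines) if e), key=lambda e: e[0]
    )
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    tried = defaultdict(set)     # ip -> usernames attempted so far
    flagged = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            tried[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:  # slide the window
                q.popleft()
            if len(q) >= threshold:
                rep = flagged.setdefault(
                    ip, {"first_flagged": ts, "peak_failures": 0, "users": set(), "success": None}
                )
                rep["peak_failures"] = max(rep["peak_failures"], len(q))
                rep["users"] = set(tried[ip])
        elif ip in flagged and flagged[ip]["success"] is None:
            # Accepted login after a flagged burst: treat the host as likely compromised.
            flagged[ip]["success"] = (ts, user)
    return flagged


# Constructed sample: one aggressive source that eventually guesses the
# "deploy" password, and one legitimate user who mistyped once.
_GUESSES = ["admin", "root", "test", "oracle", "postgres", "ubuntu",
            "pi", "git", "www", "ftp", "guest"]
SAMPLE_LOG = [
    f"Jan 10 03:12:{5 + i:02d} web1 sshd[{1200 + i}]: Failed password for invalid user {u} "
    f"from 203.0.113.7 port {51000 + i} ssh2"
    for i, u in enumerate(_GUESSES)
] + [
    "Jan 10 03:12:16 web1 sshd[1211]: Failed password for deploy from 203.0.113.7 port 51011 ssh2",
    "Jan 10 03:12:40 web1 sshd[1300]: Accepted password for deploy from 203.0.113.7 port 51100 ssh2",
    "Jan 10 03:15:01 web1 sshd[1400]: Failed password for alice from 198.51.100.4 port 40022 ssh2",
    "Jan 10 03:15:09 web1 sshd[1401]: Accepted password for alice from 198.51.100.4 port 40022 ssh2",
]

if __name__ == "__main__":
    for ip, rep in detect_bruteforce(SAMPLE_LOG).items():
        status = f"SUCCESS as {rep['success'][1]} at {rep['success'][0]}" if rep["success"] else "no success seen"
        print(f"{ip}: {rep['peak_failures']} failures/window, {len(rep['users'])} users tried, {status}")
```

Run against a real `/var/log/auth.log` (or `journalctl -u ssh`) the same function works unchanged, provided the year is passed in; the "success after burst" field is the one worth paging on, since it distinguishes a noisy scanner from a host that now needs an incident response look.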
24,000 attacks have been recorded and 1,500 hosts have been infected to date, the bulk of them in China. The botnet is used to mine cryptocurrency. The healthcare, education, and government sectors are all on the malware’s hit list, and with its added capabilities and proxy network the malware is also homing in on WordPress-powered websites. A European TV broadcaster, a Russian healthcare equipment business, and Asian colleges have all been hacked.
Akamai considers FritzFrog a “next-generation” botnet on the strength of several characteristics: regular update and upgrade cycles, a large word list for brute-force attacks, and a “unique” decentralized architecture that does not depend on existing P2P protocols. The newest FritzFrog is updated every day, sometimes several times a day. Alongside bug fixes, the operators have added a new WordPress function that adds WordPress-based websites to a target list. The lists, however, were empty at the time of writing, implying that this attack feature is still in the development pipeline.
The botnet’s origin is unknown to Akamai, but several indications point to operators located in China, or to operators impersonating Chinese ones. For example, a recently introduced file transfer library points to a GitHub repository controlled by a user in Shanghai. Furthermore, the botnet’s crypto mining activity is linked to wallet addresses previously used by the Mozi botnet, whose controllers were apprehended in China. The cybersecurity company has made a FritzFrog detection tool available on GitHub.